Have something to say?

Ready to be published? LXer is read by around 350,000 individuals each month, and is an excellent place for you to publish your ideas, thoughts, reviews, complaints, etc. Do you have something to say to the Linux community?

Linux Malware: Should we be afraid?

Given the recent Hand of Thief-news, in which RSA's Limor Kessem explains how a Linux malware-kit is sold on Russian websites, I have been contemplating about Linux security again.

Not only that, after I switched to Ubuntu, I also noticed how easy it is to add new repositories for some cool new programs not in the official repository yet. Sure, while doing so you think "Hmm, there could always be a virus in it, but I think those people are trustworthy. If there's malware in it, other people might already have noticed it in the source code". At least, that's what I usually hope.

Besides, the OS is becoming more and more "unimportant" for crackers; nowadays the browser is taking over lots of roles from the OS. These days, it's all about Javascript, Adobe's Flash and - to a lesser degree - Java, all of them full of potential security shoot-through holes. Linux users are quite lucky Adobe's PDF reader is no common tool on Linux, besides Flash and Java waning in importance. It saves minor headaches, but the main ones remaining.

The Password blues

Besides, most of my year-old passwords aren't that secure anymore either, according to ArsTechnica's most excellent article Why passwords have never been weaker and crackers have never been stronger. Main take-home message from the article: Any password less than 9 characters is easy to crack within an hour with, well, for "gamers" modest hardware. And to make things even more miserable, lots of websites 'fooled up' security. In fact lots of even bigger websites cannot be trusted with our passwords. Any password shorter than 9 characters you store on a website, once that website is cracked - should be considered vulnerable to 'reverse-lookup'. Where reverse-lookup means: Even if your password is not saved in plain text, the attacker can regain it from the hash by brute-forcing using General Computing on GPU's (GPGPU's) with programs written using OpenCL or NVidia's CUDA. This means if one website is hacked, all your other accounts with the same login / password should also be considered breached.

This all puts a question mark above my head (you see it, huh?) concerning the security of my actions on my Ubuntu-desktop these days.

The ultimate malware-kit?

To put it in some context:

Though a malware-kit for Linux is available, there are no exploits - yet. For Windows it's pretty easy to buy an exploit kit - you can almost buy them in the supermarket next to the groceries in the discount corner, while for Linux it isn't that simple. However, once an exploit for Linux is found, it's really dangerous as the attackers can just install one package on your OS which takes care of everything. That is, not only sniffing for bank credentials, but also trying to block safety-updates. They try to do so via DNS / host blocking, and the kit even has SOCK5-proxies on board and software-attempts to break outside sandboxes. So, let's say if in the past if a Linux exploit was found, it would have been much work to use that exploit to do malicious things. Now, however, after the exploit has been found, there's a high level of automation available to the malicious attacker. They can sit back, relax while zipping a coffee or vodka and their malware kit will be doing all the hard and daunting work.

Of course, we could discuss if Linux is inherently more secure than Windows, given metrics such as severeness of security flaws and days to patch, such as SJVN does. Also, we could say: "My bank doesn't use username / password login, they use a token and two-way authentication. So even if my login and pass has been found, they cannot steal my money".

But that's not what keeps my mind busy at the moment. What keeps my mind busy is: How easy is it for a cracker to change the DNS-system in my router, so that they can try to 'resolve' the name of my bank to _their_ IP? Why is it 99% of the Linux-routers in the world will never be updated? Why is Andoid so seemingly insecure - and may I add buggy and irresponsive, even if it has a Linux-kernel? Are there any user-friendly Android-alternatives which are more secure and work on my telco's network?

What about _me_ and _you_?

What if Ubuntu has an exploit and if people put the mentioned Hand-of-Thief malware on my or your PC? Will we notice? Will the malware-kit be able to send our name and bank account number to Russia? Now, true, LXer-readers - at least those who post opinions and discuss in the forum - are usually quite Linux-savvy. But contrary to some (I hope most) of them, I have to confess, I don't have intrusion detection or rootkit scan-schemes. OK, I ran both OpenBSD and Hardened Gentoo and hardened-gcc in the past, but nowadays I'm lazy and just use Ubuntu. Also, besides being lazy, using Ubuntu helps me help new Linux-users, as lots of those are on Ubuntu. That means, for all I know, my binaries are the same as for other people who use Ubuntu, unlike in my past "Gentoo-days".

All of this leads me to wonder, what can I do? Sure, after reading the Ars-technica article I "upped the ante" and went for 11 character per-site passwords without dictionary words in them. But is it enough?

Recently, I was troubleshooting an infected Windows 7-laptop, to notice it had Firefox-addons with the same name as a virus. It was then, when I found out that programs can install addons and search bars from _outside_ the browser. What happened to "only install addons from trusted locations?" I tried to find out how I can block addons from beyond the trusted Mozilla-website, but to no avail. I also tried to find out if it was possible to disable all addons and only whitelist a few I trust. Disabling all addons came close, but no cigar.

Untrustworthy repositories - the twenty-tens nightmare?

This brings me to the next topic: It's really easy to add PPA's in Ubuntu. When discussing the mentioned "lazy-Google" flaw regarding Android-Linux, one might say "But that's only if you use the unofficial repository, usually a Chinese one with pirated Android-Packages (apk's). And you're south of dumb and insanity if you use those, everybody knows they're full of malware". So would I say, in fact. But isn't that hypocritical?

As using unofficial untrustworthy repositories is - as far as I know - exactly what PPA's are? It would only take 1 clever attacker to make a seemingly "I want to have it!!" Ubuntu killer app and put it in his PPA to take control over those who are dumb enough to add said PPA. Maybe that's the kind of "social engineering" the seller of the Hand-of-Thief kit was aiming at when asked about the "attack vector". Of course, this goes for most distro's : In Debian, it's easy to add sources to the list, Fedora I think makes it easy to install RPM's found on the web, and also Gentoo always had overlays and even other ways to install "unauthorized" stuff. What's next? Will Canonical and RedHat have to build a white- and blacklist of repositories?

It seems after all, the whole idea of one trusted repository isn't that bad. Sadly, however, lots of efforts by the Linux-community is wasted on replicating the efforts and maintaining multiple repositories. Because of all the duplicate work, there are not enough people to test / include all "offered" packages in mainline, which is exactly why people have "personal overlays" and PPA's, a long Debian Sources.list or hunt for RPM's to "click and install". I've seen it happen in Gentoo: It sometimes takes ages before a straightforward version bump is in the official repository, so people start to use other less official and less safe ways.

Firefox has the same issue: Usually, you want some addons to make your life easier. However, because it's so easy to install an addon, if I were a malicious attacker, I'd try to write a Firefox-addon which steals bank credentials. I don't need root-access to do so, Firefox access at the user level is enough. That it's possible these days to install Addons in Firefox bypassing Mozilla's Addon website was quite a shock to me. OK, it was a Windows-box, and it happened when I tried to install a .exe I found on the web, but when the installer asked if it was allowed to install a Firefox-addon, I'm pretty sure I said "No". However, after opening Firefox, I still found the new "search engine" (can I say: "Advertizement banner") installed - and also turned on "as default search engine". I hoped this was only IE, but Firefox is turning into this hell as well:

Maybe, after all, Linux-critics might be right: Once more people use Linux, more attackers will try to write malware and exploits for it. I always denied it, but am ready to change my mind.

Gradually, running Xombrero on an OpenBSD-image in VirtualBox for e-banking doesn't seem as such a bad idea anymore. In the mean time, I might be investigating ways to "harden Ubuntu" in other ways. Actually, I started using Ubuntu because I wanted to spend less time managing the operating system - like I did in Gentoo (emerging whole day!)- and spending more time actually doing usefull stuff for AFK-life. But bummer, guess what: Actually spending time to manage the OS seems to be necessary these days. Avoiding user friendly solutions such as Ubuntu and Firefox and using NoScript may actually have merit - from a security point of view.

Remembering those lucky days!

It remembers me of the days when I used AES-encryption with a 32-character keyphrase and feeding arguments manually to the dm-mapper, finding out why my hardened-Gentoo - of course with SE Linux enabled - didn't want to run certain programs using strace and trying to understand the Backus-Naur notation of man sudo. And later manually adding lots of whitelist-websites to NoScript. All of that in the cold winter. Without having eaten and no food in the house. With consecutive hours of rain outside. With a sore bum on a mediocre second hand chair. After midnight. In the dark. Alone.

So, here's my question to you: Are you afraid attackers break into your Linux boxes? Do you sniff and snort- ehr, your network, that is? Do you scan for rootkits from time to time, and check md5-sums of executables against your "trusted-list"? Do you consider one distro safer as another? What is your level of paranoia? Is the alu-foil within reach?